Lessons Learned from the Target Breach

Jon Oltsik

3.  Incident response has become a cybersecurity bottleneck.  Information security best practices put a lot of emphasis on incident prevention with things like hardened system configurations, access controls, antivirus software, etc.  Around 2010, APTs demonstrated that the bad guys were pretty adept at circumventing existing security controls, so the industry turned its attention to all kinds of tools and analytics for incident detection.  Okay, we're now addressing two-thirds of the process, but what about incident response?  Unfortunately, it's hard to deal with this quagmire because incident response is highly specialized and requires precise details about network assets, traffic patterns, historical behavior, system configurations, etc.  When the Target SOC team received alerts from FireEye and India, they had a choice: investigate the alerts (i.e., when did they happen, which systems were impacted, which IP addresses did the compromised systems contact, what changes were made to these systems, etc.), or dismiss them as false positives.  It takes time, skills, and diligence to perform this type of investigation.  Yes, security analytics can help here, but you still need people who know what the data is telling them.  The Target team failed to do the necessary grunt work, placed a bet on "false positive," and lost.
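As an added illustration (not from the original article or any Target tooling) of the context an analyst needs before an alert can be called a false positive, the sketch below joins each alert with a constructed asset inventory and a constructed 30-day traffic baseline, then records the reasons for escalating instead of guessing. Host names, addresses, and alert fields are all assumed sample values.

```python
"""Alert triage enrichment: decide whether to escalate a malware alert from
evidence (asset role, network segment, historical destinations, new binaries)
rather than betting on "false positive".  All data here is constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed asset inventory: host -> (role, network segment)
ASSETS = {
    "pos-0117": ("pos", "store-lan"),
    "fs-02": ("file-server", "corp"),
    "web-portal-1": ("partner-portal", "dmz"),
}

# Constructed 30-day baseline of destinations each host normally contacts
BASELINE = {
    "pos-0117": {"10.1.0.5", "10.1.0.6"},
    "fs-02": {"10.2.0.9"},
    "web-portal-1": {"10.3.0.2"},
}


@dataclass
class Alert:
    ts: str                      # time the sensor raised the alert
    host: str                    # affected system
    dst_ip: str                  # address the host contacted
    new_binary: Optional[str]    # executable dropped on the host, if any


def triage(alert: Alert) -> dict:
    """Return a verdict plus the evidence behind it for one alert."""
    role, segment = ASSETS.get(alert.host, ("unknown", "unknown"))
    known = BASELINE.get(alert.host, set())
    reasons: List[str] = []
    if alert.dst_ip not in known:
        reasons.append("destination %s not seen in 30-day baseline" % alert.dst_ip)
    if role == "pos":
        reasons.append("asset handles payment card data")
    if alert.new_binary:
        reasons.append("new executable written: %s" % alert.new_binary)
    if role == "unknown":
        reasons.append("host missing from inventory; impact cannot be assessed")
    # Two or more independent indicators: escalate.  One: investigate.
    # Zero: still queue for review; nothing is silently dismissed.
    verdict = "escalate" if len(reasons) >= 2 else ("investigate" if reasons else "review")
    return {"host": alert.host, "segment": segment, "verdict": verdict, "reasons": reasons}


def escalations(alerts: List[Alert]) -> List[str]:
    """Hosts whose alerts should go to the incident response queue now."""
    return [a.host for a in alerts if triage(a)["verdict"] == "escalate"]
```
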

4.  Basic blocking and tackling is still important.  I'll be the first person to admit that cybersecurity has become a highly complex discipline requiring advanced technical skills.  That said, it's easy to get carried away with science fiction and forget the basics.  For example, Target could have isolated its partner portal in the DMZ or on a VLAN with no access to the production network.  Additionally, Target could have installed application control software on its POS systems (which are Windows PCs under the covers) to block all unapproved software from installing.  Finally, Target should have changed the default password on the BMC software, required multi-factor administrator authentication, and monitored all privileged user activity.  This is cybersecurity 101 and is still necessary.

As more details come out, Target will likely remain the poster boy for cybersecurity ineptness.  Clearly the company deserves some of this ridicule, but I can tell you from experience and volumes of research that the issues described above and in the Senate report are far more common than most people think.  It's likely that the focus on Target will quickly fade when the next big breach occurs.  Given the state of cybersecurity, that is likely to happen at any time.

Source: Network World